Conscrypt: Don't throw away all altnames when a bad one is seen
Conscrypt is strict in following RFC 5280's requirement that DNS
alternative names listed in X.509 certificates must be IA5Strings (aka
7-bit ASCII), with international domain names encoded in Punycode,
but the existing implementation throws an exception when it encounters
a nonconforming name, which results in the entire list of altnames
being discarded whenever any of them are invalid.
This change makes it so that only the nonconforming name is ignored,
returning any other conforming names.
There is a bit of adjustment to some of the other assert statements
in the test because the canonical name in a certificate is ignored when
altnames are present, so some of the test certificates change from the
CN verifying to the CN not verifying due to the previously-discarded
valid altnames now showing up.
Bug: 1693101
Test: cts run -m CtsLibcoreTestCases
Change-Id: I30bda625feb49fec45f5163e51ddb6486a96ca2f
1 file changed